Scientists Say Unreliable Software Exposes California Recall to Fraud

I'm on it!!

:kick:

"the machines' source code, which a Diebold worker anonymously published on the Internet ..."

bzzzzzt--Wrong! Thank you for playing.

A quibble, I suppose, but the point is that they put the actual source code on an anonymous server, meaning that no log-in was required to download files off of it. I.e., this is something that should be kept in greatest security, not just because its proprietary (which it shouldn't be) but because the democratic process depends on it, and they left it hanging out in the open where anyone could fiddle with it. Which speaks volumes about their attitude toward security generally.

This is not quibbling about details; there is a huge difference:
--------------------------------------------------------

Exposing their code by "anonymous posting" means that the company has some employees who have grossly violated the company's trust by posting as an "anonymous user", on forums such as DU, confidential information that would otherwise not be expose to the world.

Read: They have security, but they have some untrustworthy employee who broke the law.

--------------------------------------------------------
Exposing their code by "anonymous server" means that the company is totally clueless and/or cavalier about systems security.

Read: The company is populated by either incompetents, criminals, or idiots who should not be trusted with any remotely sensitive transactions.

did it to expose Diebold, or knew that someone inside Diebold
was planning on rigging the system??

The most secure systems are always beatable by the person(s)
holding the keys.

Diebold itself set up an anonymous FTP server so that field services and support personnel, as well as various county and state organizations, could exchange software and data. For those who don't know, an anonymous FTP server is like an open file sharing system. All you have to do to gain access to any file on the system is type the word "anonymous" at the password prompt.

The software wasn't posted anonymously, it was posted by the company itself, and anyone was free to modify it. Of all of the people and organization that used this, I'm sure that more than a few knew that this set-up was insecure. The question is why it was allowed to be insecure, and untracable, for so long. Just saying that Diebold was ignorant doesn't really make sense here. To an experienced computer person such as myself, this looks like a deliberate attempt to provide cover for vote tampering.

"Quick and Dirty".

Often leading to Fast Hell.

"The most secure systems are always beatable by the person(s)
holding the keys."


-------------------------------------------------------
On a real high security system, the private key is stored in a cryptographic accelerator, such as an nCipher card.

The memory content of these cards cannot be copied. There is no way from the computer that you can access the internals of the card.

They also have a putty like material that totally covers the circuitry so that they can't be logic probed. If some one tries to scrape off the putty, the card will self-destruct.

The private key is also distributed to N number of administrator cards, usually 6-10 in a high security environment, and it requires K number of them to make another instance of the nCipher card in the same security world.

On an application I wrote, we have 10 admin cards that REQUIRE 5 administrators to build a new card (each card is also password protected). You'd have to co-opt 5 of the most trusted people in the company to activate a new decrypter; mind you, you still wouldn't have the private key. That's still protected by another encryption layer when the key is distributed among the cards.

To make things even more annoying, there are operator cards that can be set to be required at computer bootup time. So, some one may steal a whole decryption system, but they won't be able to start it up. Beside, it's kind of obvious that it's time to change the keys when a whole, monitored, system disappears.

We also lock the cryptosystems in their rack, and they all reside in a limited access and camera-logged high security physical location.

The point is secure systems can be built. They have been, and are being built all the time. There's no mystery of how to write them. There's all sorts of code, documents, tools, and hardware specially designed to make it easy, safe, and nigh uncrackable (by modern technology - barring distributed and quantum computing).

-------------------------------------------------------

IT'S NOT F*CKING MAGIC!

Diebold are evil little idiots. It's too damn obvious to any computer professional that they haven't even attempted to make anything even slightly secure. It's time to check up on who did the certifications, I think. Smells like payola, to me.

We're look here at either a conspiracy of criminal incompetence, or treason, depending on whether or not you've still have any patience and generosity in you after three years of "Mr. Rosey Rump Patch No Vasoline Please".

This is so obvious to ANYONE with any actual knowledge of computer security and/or secure transaction auditing that the fact that this is even an issue makes one suspect the worst.

Truth-in-advertising should require these voting machine models to be named something like "Friendly Fraud" or "EZ Scam." It's really that obvious -- just like the Monty Python "Crunchy Frog" sketch.

"What do you do when a candidate dies or pulls out of race couple days before the election?" O'Connor asked. "In a computerized system, you can make that change on the fly."

O'Really??? Are the certification officials going to certify the software patch right before an election? Doubt it, but it would be an ILLEGAL election if they didn't. Plus there is still no paper trail which a random audit could verify on those machines.

if Bush would notify the election officals of the candidates deaths, beforehand.

If, indeed, these machines allow election fraud, it'll be good if it comes out now. Davis is toast already, so the recall is going to be a disaster any way you slice it. If this election results in an outrage against the machines, at least the recall will have served some purpose.

Do we have an icon for grasping at straws?

BTW, I am from California, so I am talking about my own state. I'd never make a remark like that about what someone else was going through.

(Oh, shut up, Alice, you're only making it worse.)

No way. Gary Coleman is going to win this thing fair and square.

:-)

on edit: oops

Don't let this story get overlooked because of the blackout news.

http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030814/ap_on_el_gu/recall_electronic_voting_1

When I posted, it had a perfect 5.0 rating, and was at the top 'o the heap. Now, just a few minutes later, here are the stats:

Its current average rating is 3.77 with 13 vote(s).

Sounds like the Freepers are hitting this with a "1" score. :argh:

though I'm sure they will tell you different

can't fool us!!!

It picked up a bit of steam there. Thanks Hedda Foil

i don't see the "rate this topic" area ANYWHERE!

read and rated! :hi:

and Junior will win California, done deal.

Free elections? .......piffffle

...to Canada. The Republican 1000 Year Reign might only last 25 years, but that's too long for me and mine. If California goes down, I think we know what's gonna happen in 2004.

and everywhere else in Canada is too damn cold!!
Is there any way to get this country back?

Ask the people who are buying them.

They need to kick Diabold out of the voting booth manufacturing industry, NOW. Maybe if someone gamed the CA recall election, these folks will wake up.

Or at the very least threatened to by selling election stealing smart cards on the internet.

All elections should be place on hold till their is a
resolution to the dire problem!!!