Democratic Underground Latest Greatest Lobby Journals Search Options Help Login
Google

HERE IT IS: ITA REPORT ON DIEBOLD *** CA Senator Bowen requests input

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread		 This topic is archived.
Home » Discuss » Topic Forums » Election Reform Donate to DU
 
nicknameless Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-28-06 10:19 PM
Original message
HERE IT IS: ITA REPORT ON DIEBOLD *** CA Senator Bowen requests input
http://www.ss.ca.gov/elections/voting_systems/diebold_code_review_final.pdf

From Bowen's office:
"Anyone have any thoughts????"

Evan L. Goldberg
Chief of Staff
Senator Debra Bowen
(D-Redondo Beach)
Evan.Goldberg@sen.ca.gov
(916) 651-4028
(916) 215-5953

----------------------------

I just received this & haven't read it yet.
The test was done by "CIBER ALWAYS ABLE" Labs.
Maybe they mean that they're "always able" to certify crap and disregard fatal flaws and illegalities?

:eyes:
Printer Friendly | Permalink |  | Top
mom cat Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-28-06 10:27 PM
Response to Original message
1. K&R for Debra Bowen.
Printer Friendly | Permalink |  | Top
 
Merlot Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-28-06 10:33 PM
Response to Original message
2. " Dibold Election Sstems, Inc. retained the services of CIBER...
...in order to determine the degree to which the Diebold Election Systems compiler, interperter, and script source code and funcionality comply with security industry and coding best practices..."

What this tells me is that Diabolical wanted someone to say that they complied - NOT that they had security issues. I'm guessing the results of this "report" will be that, yes, Diabolic does indeed "comply."

So, I'm a little cynical...and more than happy to be proved wrong!
Printer Friendly | Permalink |  | Top
 
nicknameless Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-28-06 11:10 PM
Response to Reply #2
5. Anyone who isn't cynical isn't paying attention.
These are vendor-hired ITAs. They provide rubber-stamp certification for all of the garbage that comes their way.
Printer Friendly | Permalink |  | Top
 
Wilms Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-28-06 10:49 PM
Response to Original message
3. Here's the Exec Summary.

EXECUTIVE SUMMARY

The TSX interpreter inspected appears to be ready for an election. The AV-OS interpreter inspected appears to be sufficiently secure to run an election if the recommended corrective measures are applied to the interpreter and rechecked. If trusted chain-of-custody were established to prevent tampering with memory cards between the GEMS system and the AV-OS voting machines, then the existing units would be safe for an election.

The fact that the programs appear to provide adequate security shall not be interpreted to mean that the programs are without security vulnerabilities or are impenetrable. It does mean that the programs appear to provide reasonable assurance that it can protect the confidentiality, integrity, and availability of the information it processes, stores, and communicates.

It is standard practice at CIBER to provide recommendations in addition to review findings. In addition to the recommendations that will be placed throughout this report, one high-level recommendation is provided:

    • Certain vulnerabilities in this report may require a portion of the code to be modified in order to correct the vulnerabilities identified. To ensure that the efforts to correct vulnerabilities do not introduce new vulnerabilities, CIBER strongly recommends retesting of the remediated code prior to its migration to a production environment.

The interpreter had three security vulnerabilities and a small number of requirement violations that were not capable of being exploited by malicious code or operators. Of the three serious problems, they can be fixed with minor code changes.

No issues were discovered with the compiler that impacts the security of the system. There were no findings in the inspection of the AccuBasic Scripts that would materially impact the security of the system.


Printer Friendly | Permalink |  | Top
 
nicknameless Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-28-06 11:48 PM
Response to Reply #3
7. Seems a lot like McPherson's certification. "If, if, if."
Why certify BEFORE problems are resolved instead of after? (Well, okay. I know why.)
Printer Friendly | Permalink |  | Top
 
Wilms Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Mar-01-06 01:49 AM
Response to Reply #7
9. And it seems to model the Berkley report.
OVERVIEW AND APPROACH

The CIBER Huntsville and CIBER Global Security teams were tasked with performing a combination of testing and analysis of the Diebold Election System’s Source Code to identify security and functionality vulnerabilities. The testing was structured to identify and evaluate as much potential vulnerability as possible within a reasonable/controlled level of effort.


It seems one thing for the Berkley team to avoid the question of the presence of interpreted code as a violation of the VVSG and instead recommend band-aides. And it seems quite another for the ITA to side-step the issue, too. Though there was this line in the Exec Summ that caught my eye.


The interpreter had three security vulnerabilities and a small number of requirement violations that were not capable of being exploited by malicious code or operators. Of the three serious problems, they can be fixed with minor code changes.


If I read that correctly, they're saying that there are three security vulnerabilities that can be fixed with minor code changes.

And they say there are a "number of requirement violations", but argue that in the case of the TSx DRE, it's acceptable because they could detect that. Actually, I'd like to hear from Ion Sancho and Harry Hursti about that. In the middle paragraph, they seem to say they can't confirm the Hursti Hack, though they acknowledge as possible.


AV-OS and TSX Finding: Three violations exist that allow manipulation and reading of data in global space. Three different types of modified tokens used to index data outside of their intended memory range cause the vulnerabilities, each with slightly different effects. These can only be exploited by a modified AccuBasic object file.

It is quite possible that these exploits can be used in conjunction with each other in a way to produce an escalation of privileges, depending on the operating environment and the compiler settings. The evaluation team confirmed the flaws are present and considered dangerous, but proof-positive exploit for an escalation was not possible without access to a working development environment and appropriate development software.

The TSX environment contains a check to validate the AccuBasic object files, so if a file is tampered, the tampering will be detected. Therefore, this problem is more severe for AV-OS than it is for TSX. TSX can still be considered election ready because such tampering will be detected.


I think that may be the argument Shamos made when he recommended decertifying the OpScans and letting the DRE's in. Very ugly consequence.
Printer Friendly | Permalink |  | Top
 
Wilms Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Mar-01-06 05:50 AM
Response to Reply #9
11. More yakin' about it.

http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=203x414997#top
Printer Friendly | Permalink |  | Top
 
nicknameless Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Mar-01-06 06:57 AM
Response to Reply #11
12. Thanks for linking that.
I tried reading the ITA report and my eyes glazed over.
If my migraine is gone by tomorrow, I'll read it then. ;)
Printer Friendly | Permalink |  | Top
 
Amaryllis Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-28-06 11:09 PM
Response to Original message
4. Nick, do you have something from Bowen's office? What else did she
say? Was the entire message, "Anyone have any thoughts?" ????
Was there no context other than that? That's pretty vague.
Printer Friendly | Permalink |  | Top
 
nicknameless Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-28-06 11:17 PM
Response to Reply #4
6. That was the complete message of the email.
Edited on Tue Feb-28-06 11:32 PM by nicknameless
It was sent at the end of the day by her Chief of Staff.
This wasn't one of Senator Bowen's formal emails, in other words.

He titled it: "SOS Releases Diebold ITA Report". That's the only thing I had left off.

I *did* however receive an email today from Senator Bowen about her petition to McPherson, asking that he reverse his decision on the certification of Diebold. Sadly, only about 2,500 people have taken part so far. :(

There is still time. If you haven't signed yet, PLEASE do: http://ga3.org/campaign/diebold


Edited to add: the .pdf file link was included with the email. Sorry, if I was unclear about that.
Printer Friendly | Permalink |  | Top
 
kster Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-28-06 11:52 PM
Response to Reply #6
8. Of course only 2500, because the voting machine vendors are in
bed with the CM, If the truth was put on TV so that the public could see the facts from both sides, most people here know who would win that debate and SO DO THEY. Thats why they keep it SILENT in the media. NGU......
Printer Friendly | Permalink |  | Top
 
EFerrari Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Mar-01-06 01:50 AM
Response to Original message
10. kick
Printer Friendly | Permalink |  | Top
 
nicknameless Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Mar-01-06 08:16 PM
Response to Original message
13. Kick
:kick:
Printer Friendly | Permalink |  | Top
 
garybeck Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-02-06 01:26 AM
Response to Original message
14. uh, don't forget this report too
From Berkeley University:


Security Analysis of the Diebold AccuBasic Interpreter
http://www.solarbus.org/election/docs/security_analysis_of_diebold.pdf
Printer Friendly | Permalink |  | Top
 
nicknameless Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-02-06 02:14 AM
Response to Reply #14
15. Yes, we kicked the Berkeley report around last week.
It is all very damning.

Did you check out Senator Bowen's shredding of SoS McPherson today?
She addresses the flaws identified in both the Berkeley report and the ITA report.

http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=203x415129
Printer Friendly | Permalink |  | Top
 
DU AdBot (1000+ posts) Click to send private message to this author Click to view this author's profile Click to add this author to your buddy list Click to add this author to your Ignore list Thu Dec 26th 2024, 04:04 PM
Response to Original message
Advertisements [?]
 Top

Home » Discuss » Topic Forums » Election Reform Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators

Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC