Slashdot Mirror
Diebold Voting Systems Grossly Insecure
Several well-known security researchers have examined the code for Diebold's voting machines (which we last mentioned two weeks ago) and produced an extensive report (pdf). The NYT has a story on the report, which cuts to the bone: 'Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal.'
Just from the above quote, this doesn't sound like the kind of security that any bank would tolerate. Is this a case of lawmakers awarding contracts under duress after being wowed by cool "tecknoligee" in order to avoid being the next "Florida 2000," or is Diebold simply a victim of its own success for having potentially higher standards for commerce than voting?
[sarcasm]
It almost seems like the authentication process to make this work would need something as stringent as, say, a National ID card...
Ooh, and we could use a Poll tax to pay for the equipment!
[/sarcasm]
I take it you haven't been unemployed too recently. Fortunately, I'm still employed right now, but I can see the writing on the wall. Our department has been doing some machete-style slashing of the budget, and has been letting A LOT of IT people go (programmers and technicians). And those they let go were great at their job.
A bunch of people at work were saying the SAME THING YOU ARE. They said their skills were current, had qualifications, and were good at their job. Now, it's 3 months later and they're still outta work.
Sure, I know some people (from elsewhere) that got jobs reasonably quick, but that's because they KNEW SOMEONE on the inside, or had some high connections. I'm not being bitter, they've admitted it to me.
Some people with jobs or in school tend to think that everything is fine-and-dandy for people so long as they know their stuff and look hard. But those people are usually the first to start freaking out that they can't find jobs.
It's a cliche, but in today's market it's not what you know, but who you know.
Very good point.
In fact, Diebold laid off a good number of their QA, code integrity staff and software developers in late-2001/early-2002, when this product was under heavy development.
"Can of worms? The can is open... the worms are everywhere."
Let me tell you a story about Diebold.. I almost went to work for them in their North Canton, OH office in the mid-nineties. They were doing some smartcard work themselves (research) and some interested crypto projects that I thought would keep me busy. At least, that was the story I got during the interviews.
But then I talked to a low-level employee. He was worried because they kept laying off staff, then employing new people. Seems that once a project was "done" (meaning, shipped first version, wrote up your research findings, etc.) they had the nasty habit of laying off the entire team. They would literally hire a team to do a job, then fire them for each project. There was no continuity between versions of software (if there were any), and things tended to languish, while they tried to make a quick buck.
And based on what I was told, this wouldn't be the first time that one of their products was wholly insecure from the get go. Don't get me started on their ATMs piss-poor security features from that time. Things just didn't get fixed until someone got screwed.
PS. I turned down their generous offer of employment.