The Diebold Voting-Machine Hack
Warm John writes to mention a short article on Doctor Dobbs Journal about the Hack that couldn't be done. "Hacking a Diebold voting machine was the focus of Cigital's Gary McGraw's keynote at SD Best Practices. He discussed 'Security Analysis of the Diebold AccuVote-TS Voting Machine,' a paper released by Edward Felten, Ari Feldman, and Alex Halderman of the Princeton Center for Information Technology Policy. 'The paper details a simple method whereby the Princeton team was able to compromise the physical security of a Diebold voting machine, infecting it with a virus that could change voting results and spread by memory-card to other machines of the same type.'"
Note: I have been working on voting integrity issues in North Carolina for a little while now, and advised the committees that drafted the bill in question.
The state passed a pretty comprehensive election reform bill, which included the provision that all vendors must hand over all code that runs, is installed on, or is otherwised used in the operation of the voting machines. No if, ands, or buts.
Our State Board of Elections did not like this. They want paperless voting machines, and badly. Like a six-year-old that's been told to clean up its room, they're dragging their feet on enforcing these (and other provisions). When writing the Request For Purchase (bid requirements), some staffer added a "clarification" that the vendors only had to hand over "available" software, and simply explain why they couldn't hand over the rest. In other words, "Here's why I'm going to be breaking the law today."
Lawmakers were not happy. The SBOE, however, didn't particularly care. They didn't see a problem with only handing over a portion of the code, and wanted to interpret the law as loosely as possible.
Diebold pointed out that "available" was different than "everything", and actually got a restraining order that prevented the state from suing them for not complying with any of the new provisions of the law. This case essentially overturned that ruling, saying "Uh, no, you actually have to comply with the law." Technically it says, "Ask your lawyers for legal advice, not the court, we're not going to pre-judge the law before there's an actual conflict (i.e., you actually get sued for violating these provisions."
So Diebold is going to take their ball and go home, since they would actually have to play by the rules. Oh well.
On a side note, I didn't see any evidence that Diebold actually tried to get a Shared Source license from Microsoft, which would actually let them escrow the code. Maybe Diebold didn't actually want to escrow, well, anything?
Imagine that.
-jdm
First person to do this? THat'd be the republicans in the 04 election.
I still have more fans than freaks. WTF is wrong with you people?
You, u.s. people, have been SCREWED BADLY.
Does it take someone to say for you to realize it ?
Read radical news here