Black Box: Wired reveals new security flaws for Diebold

http://www.wired.com/news/privacy/0,1848,59925,00.html

"Following an embarrassing leak of its proprietary software over a file transfer protocol site last January, the inner workings of Diebold Election Systems have again been laid bare.

"A hacker has come forward with evidence that he broke the security of a private Web server operated by the embattled e-vote vendor, and made off last spring with Diebold's internal discussion-list archives, a software bug database and more software.

"There is no sane reason to put the corporate jewels on an Internet-facing server. They were basically asking to be hacked," said Jeff Stutzman, CEO of ZNQ3, a provider of information security services. "This is the kind of behavior you expect of a startup company that's only concerned about selling their first product."

* * * * *

This article details (yet again) weak security at Diebold which they (yet again) deny is a problem. At what point do election officials and Diebold spokesmen stop minimizing this problem? Ever?

Bev Harris
http://www.blackboxvoting.org

Is this the guy behind the story that was reported last week?

Re your question--

At what point do election officials and Diebold spokesmen stop minimizing this problem? Ever?

--answer, as long as they've spent a bunch of money on these systems, the election officials have a big cya stake in "believing" Diebold. That $56 million MD spent is a great big career-killing mistake for someone if the critics are proved correct.

The one thing that seemed to really puncture their confidence so far was Avi Rubin's study, and so of course they respond by finding an "independent" firm to "study" the question that is pretty much guaranteed to give 'em the answer they want. I'm still wondering if there's any chance of getting Avi, Dill and the others to respond preemptively by releasing a list of issues the SAIC report must address in order to satisfy them. I think they currently have the cachet with the media that would let them get out ahead of this report and position themselves as the arbiters of its legitimacy when it comes out. We want the media to be primed to go back to these guys and say, well, did they answer your criticisms or not? Rather than being in a postion where our guys are waving their hands trying to get press attention and the journalists are saying "The SAIC analysis sez there's no problem so what are you still harping on this for."

on edit: dropped a phrase

DO

feet$ = hold$ + "2" + fire$

LOOP UNTIL(HellFreezesOver%)

...on slashdot than DU. :toast:

Perfect! :evilgrin: :thumbsup:

I could use the money.


Stumpy

... but, I still think there's a role for SysTest in this and other matters.

Is there anyone in Maryland who could get a state rep to make a formal request of the SoS there to create a double-blind test with that ITA (since SAIC, though presumably well-versed in computer security, is not an official ITA).

Cheers.

in missing all the flaws the first time around. That's a good idea.

I'd love to see someone write a letter to propose this.

Bev

The double-blind test would also have to include the source code for Windows, since the rewrite revelations, would they not?
:evilgrin:
Gordon25

The Globe article yesterday was a "spin" in that it said that the report endorsed Touch screens - true - and then left out the comments on the need fpr a paper trail to audit.