The Case of the Diebold FTP Site by Douglas W. Jones

Bev, have you seen this?

... Programming the AccuTouch machine for a particular election is also done using PCMCIA cards written on the GEMS system at the central offices and then loaded into the voting machine, and the permanent record of the election that is stored for recount purposes is stored on a PCMCIA card (with a duplicate record stored on the internal hard drive of the voting machine in case of failure). The 2002 Examination Report for the state of Washington contains a good summary of the use of PCMCIA cards on this system.

The security of all of these network links, including those involving hand carried data, is critical! It is noteworthy that PCMCIA cards are about the size of playing cards and we know that sleight of hand trickery with playing cards is a highly developed art, so cryptographic security of the data on these cards is just as essential as it is for data transmitted over a public network.

In additional discussion at the first Iowa examination of the AccuTouch system, it came out that neither the technical staff nor salespeople at Global Election Systems understood cryptographic security. They were happy to assert that they used the Federally approved Data Encryption Standard, but nobody seemed to understand key management, in fact, the lead programmer to whom my question was forwarded, by cell-phone, found the phrase 'key management' to be unfamiliar and he needed explanation. On continued questioning, it became apparent that there was only one key used, company wide, for all of their voting products. The implication was that this key was hard-coded into their source code! This problem was also discussed in my testimony before the House Science Committee. ... <more>

http://www.cs.uiowa.edu/~jones/voting/dieboldftp.html

like crytography, so why would they use it or even more important, miss it?

sounds like just the right bunch to hire :evilgrin:

peace

then anyone with a copy of black ice and the skill level of a game hacker could own an election, any election, every election.

This is treasonously criminal negligence.

Let's get it right now. The only electronic voting system worth having includes a paper audit trail, voter verifiable, and all source, compiled code and patches registered with the GAO.

Nothing less will do!

without which...

I suggest we make each STATE college Computer Science Department the official certifiers of election software. Let the professors and students certify the election software according to state laws. Take the politics and politicians out of the certification process.

People like Professor Doug Jones are emminetly more qualified to do certification than a group of political hacks.

Hell, let's let them WRITE the software. ;-)

Eloriel

we're in the process of setting up a petition you can all sign calling on Diebold to publicly answer Professor Jones' questions.

We'll have it ready in a little bit.

Not enough nerve to take on someone with the credentials of Professor Doug Jones.

And this:

"The FEC/NASED Voting System Standards explicitly forbid self-modifying code...Some would define it narrowly in terms of machine instructions that are overwritten by other instructions at run-time, while others define it broadly to include any dynamic linkage (dll files) or interpretive execution, since all of these can be used to change the function of code after the fact."

-- Douglas W. Jones, Associate Professor, The University of Iowa, Iowa Board of Examiners for Voting Machines and Electronic Voting Systems and expert congressional witness on electronic voting machines

Okay, the above is as in creating dll files "makefile", hiding programs in dll files ("we cribbed this from the Wine program" -- and stuck it in a dll), and special homegrown interpreter files (ie the whole set of abo files.)

And for added fun, I think this is what Professor Jones might find particularly disturbing:

http://www.blackboxvoting.org/pdf/DLLMAN.PDF

Bev