Saturday, September 23, 2006


News Item 7307 Security Analysis (and Response) of Diebold Voting Machines.

Security Analysis (and Response) of Diebold Voting Machines.

Ari Feldman, Alex Halderman, and Ed Felten released an amazing paper on the security of Diebold's e-voting technology. The paper is accompanied by a ten-minute video that demonstrates some of the vulnerabilities they've uncovered. Here is the paper's abstract:

Security Analysis of the Diebold AccuVote-TS Voting Machine

Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
Princeton University

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities -- a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine's hardware and software and the adoption of more rigorous election procedures.

Along with the various weaknesses they discuss in the paper, Felten later discovered that the lock "securing" the machine's components from outside tampering could be opened with a standard hotel mini-bar key. Unbelievable.

Predictably, Diebold responded (PDF) with their PR team in full spin mode, but Felten easily dispenses with their generally off-point retorts. Felten's conclusion:

Secure voting equipment and adequate testing would assure accurate voting -- if we had them. To our knowledge, every independent third party analysis of the AccuVote-TS has found serious problems, including the Hopkins/Rice report, the SAIC report, the RABA report, the Compuware report, and now our report. Diebold ignores all of these results, and still tries to prevent third-party studies of its system.

If Diebold really believes its latest systems are secure, it should allow third parties like us to evaluate them.

[michaelzimmer.org]
6:18:27 PM


News Item 7306 Texas Investigators Reveal Another Sony DRM Flaw.

Texas Investigators Reveal Another Sony DRM Flaw.

Hot on the heels of the announcement of Sony BMG's settlement with its Canadian customers comes more news about the dangers of Sony BMG's DRM. According to Texas government investigators, Sony BMG's XCP software may cause a computer's CD-ROM drive to be disabled. If a CD with XCP technology is loaded on a computer running AOL's "Safety and Security Center" software or CA Inc.'s PestPatrol, the programs will attempt to delete the XCP components and may, in the process, disable the CD-ROM's configuration in the PC's operating system.

This news underscores the need for strong limits on Sony BMG's future use of DRM, to ensure that Sony BMG carefully vets the software it distributes with its CDs, takes appropriate steps to correct any potential problems, and advises music fans of exactly what is loaded on an innocent-looking CD. That way, customers can protect themselves against potential security vulnerabilities. Small wonder that Canadian public interest organizations are challenging Sony BMG's refusal to commit to such limits in the Canadian rootkit settlement.

[EFF: Deep Links]
6:15:00 PM

News Item 7305 Security Expert Predicts VoIP Hack Attacks.

Security Expert Predicts VoIP Hack Attacks. Corporations switching to Internet telephony should be wary of security risks, 'The Grugq' says. [PC World: Latest Technology News]
6:13:00 PM

News Item 7304 HP Chief Ethics Officer At Work.

HP Chief Ethics Officer At Work.

I used to think being the spokesperson for the NSA was the easiest job in the world (especially if>story.

Concern over legality was reflected in an e-mail message sent on Jan. 30 by Mr. Hunsaker, the chief ethics officer, to Mr. Gentilucci, the manager of global investigations.

Referring to a private detective in the Boston area, Ronald R. DeLia, whom the company had hired, he asked: "How does Ron get cell and home phone records? Is it all above board?" Mr. Gentilucci responded that Mr. DeLia, the owner of Security Outsourcing Solutions, had investigators "call operators under some ruse."

He also wrote: "I think it is on the edge, but above board. We use pretext interviews on a number of investigations to extract information and/or make covert purchases of stolen property, in a sense, all undercover operations."

Mr. Hunsaker's e-mail response, in its entirety, said: "I shouldn't have asked...."

Please if Hunsaker loses his job over this>melyviz

[27B Stroke 6]
6:10:53 PM