Sighting a Great Blue Heron

San Francisco, photos
An immature Great Blue Heron at the San Francisco Botanical Garden

Wow. Michelle and I took a few pictures of a strange bird at the San Francisco Botanical Garden the other day. My Sibley Guide to Birds says it is an immature Great Blue Heron, and it turns out that the Botanical Garden is the only nesting area for these birds in San Francisco.

DESI vuln. and Avi Rubin on NPR

elections, vendors, news, problems

NPR has finally done a piece on the recent Diebold vulnerability that was found by Harri Hursti and Black Box Voting ("Security Risk Seen in Electronic Voting Machines"). ACCURATE director, Avi Rubin, did a great job countering DESI's arguments.

The best part of this is when an older poll worker says:

"Did you see 051606? That's a PIN number. Now where did they get [that]? See, there's a lot of things we don't yet know about these. She never mentioned PIN-word or password. Did she? [asks another poll worker] No, I don't remember saying anything about password or PIN number."

Of course, that PIN is just the date of the election in question (05/16/06). It's a good thing they didn't run this story on election day, or the PIN-number cat would have been out of the bag.

Backdoors, barn doors, front doors...

elections, hacks, problems, friends, research

Today Dan Tokaji penned a post on the recent DESI DRE vulnerability ("Diebold: Not the Usual Suspecters") that highlights an interesting distinction between language that computer scientists are using in explaining this vulnerability and more technical definitions.

In his post, Prof. Tokaji says,

The flaw is a "backdoor" that was apparently put there deliberately, to allow election officials to update software more easily.

Some of the computer scientists interviewed for the variety of stories surrounding this recent development have used "backdoor", "front door" and "barn door" types of analogies to illustrate the risk involved with this vulnerability. Analogies are necessary in this case for two reasons: 1) this vulnerability involves aspects of computer technology that most people don't even know exist (e.g., bootloaders) and 2) computer scientists who know the gory details have been reluctant to say anything very detailed for fear of facilitating exploits.

Here's an example of this kind of analogy from ACCURATE PI Doug Jones (from the New York Times, "New Fears of Security Risks in Electronic Voting Systems"):

"This is the barn door being wide open, while people were arguing over the lock on the front door," said Douglas W. Jones, a professor of computer science at the University of Iowa.

With all due respect, I don't think that this flaw meets what technical folks would call a "backdoor". The analogies being used and the technical definition are easily conflated.

The Wikipedia entry on Backdoor is instructive. In the technical sense, a backdoor is a way into a system that bypasses its authentication methods or normal security protocols. Backdoors are usually placed intentionally, either for malicious access (unauthorized access after the system has been designed and deployed) or for administrative purposes (to allow maintenance of the system regardless of the user's ability to remember the authentication details). This design shortcoming was definitely placed in the system intentionally to ease system administration (upgrading, etc.), but it doesn't bypass any authentication method, because there is no authentication to bypass: the machine will load whatever software it finds on the memory card. In fact, that lack of authentication is exactly what causes this flaw to directly violate section 4.2.2 of the 2002 Voting System Standards. (The fix that DESI will have in place will reportedly use some sort of cryptographic digital signature to ensure that non-compliant software cannot be loaded onto these machines.)

Anyway, this isn't necessarily a correction, because Prof. Tokaji's statement isn't necessarily wrong... it's just a comment on the different uses of the term "backdoor". Those of us who are technical folks should take heed and be more precise in our analogies.

A Flickr'd Commencement...

berkeley, photos, friends, legal, education, iSchool

BBV report on DESI DRE vulnerabilities...

elections, certification/testing, vendors, hacks, news, problems, research, policy, usability

So BBV just released their report ("SECURITY ALERT: May 11, 2006 - Critical Security Issues with Diebold TSx" authored by Harri Hursti) on the vulnerabilities of the DESI AccuVote-TS and AccuVote-TSx DRE voting machines. This is an amazing piece of work on all fronts: BBV coordinating the effort, Harri and his company doing the analysis, and all parties ensuring responsible communication of the results. It has spurred California, Iowa and Pennsylvania to issue warnings to local election officials and a number of articles in the popular press: 1, 2, 3.

The extent of the vulnerability is so wide that the report refers to it allowing "offense in depth" -- a play on the "defense in depth" strategy advocated by computer scientists and the NSA [1]. By offense in depth they mean that any of three levels -- the bootloader (a small piece of software that loads all the other software), the operating system (the "foundation" of a computerized system) and/or the voting application (what voters and poll workers interact with) -- could be used as a method of attack, and a compromised lower layer could possibly even "clean up" or conceal attacks in the layers above it.

It appears that the only immediate solution is to have a "trusted" copy of the machine's software loaded on each machine and then the machine completely sequestered until election day. (There's one important caveat: if the bootloader is already corrupted, it may not allow itself to be written over by a new bootloader, so re-loading software from a card proves nothing unless the bootloader itself is known to be good.) There will be no more allowing machines to be sent home with poll workers or delivering machines early to polling places... the BBV report shows how one could easily access the memory cards -- without damaging the tamper-evident tape -- by simply taking the back of the machine off with a screwdriver.
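To make the "no authentication to bypass" point and the promised signature-based fix concrete, here is an added example in Go that is not code from the BBV report, from DESI, or from this blog. It models the memory card as a list of stages (bootloader, operating system, voting application; the names and contents are constructed stand-ins, and the file layout is an assumption, not the vendor's real format) and contrasts a loader that accepts whatever is on the card with one that verifies a vendor Ed25519 signature over each stage before accepting it, stopping at the first stage that fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one layer of the machine's software image as it would sit on the
// memory card. This layout is a constructed simplification for the example.
type Stage struct {
	Name string
	Code []byte // the bytes that would be written to the machine
	Sig  []byte // detached Ed25519 signature over sha256(Code); nil if unsigned
}

// SignStage is the vendor-side release step: hash the stage and sign the hash.
func SignStage(priv ed25519.PrivateKey, name string, code []byte) Stage {
	digest := sha256.Sum256(code)
	return Stage{Name: name, Code: code, Sig: ed25519.Sign(priv, digest[:])}
}

// LoadUnauthenticated models the pre-fix behaviour the report describes:
// every stage on the card is accepted, signed or not, genuine or not.
func LoadUnauthenticated(img []Stage) ([]string, error) {
	loaded := make([]string, 0, len(img))
	for _, s := range img {
		loaded = append(loaded, s.Name)
	}
	return loaded, nil
}

// LoadVerified is the hardened loader: a stage is accepted only if it carries
// a valid signature from the vendor key, and loading stops at the first
// failure so that nothing above a bad layer is ever run.
func LoadVerified(pub ed25519.PublicKey, img []Stage) ([]string, error) {
	loaded := make([]string, 0, len(img))
	for _, s := range img {
		if len(s.Sig) != ed25519.SignatureSize {
			return loaded, fmt.Errorf("%s: missing or malformed signature", s.Name)
		}
		digest := sha256.Sum256(s.Code)
		if !ed25519.Verify(pub, digest[:], s.Sig) {
			return loaded, fmt.Errorf("%s: signature does not verify", s.Name)
		}
		loaded = append(loaded, s.Name)
	}
	return loaded, nil
}

// NewVendorKey makes a fresh signing key for the demonstration. In a real
// deployment only the public half would be burned into the machine's
// immutable boot code; the private half would stay in the vendor's release
// signing environment.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewVendorKey()
	// Constructed stand-ins for the three layers named in the report.
	good := []Stage{
		SignStage(priv, "bootloader", []byte("bootloader v1.0")),
		SignStage(priv, "os", []byte("embedded OS image")),
		SignStage(priv, "ballot-station", []byte("voting app 4.6")),
	}
	// An attacker with a screwdriver rewrites the application layer on the
	// card, keeping the old signature in place.
	tampered := append([]Stage(nil), good...)
	tampered[2] = Stage{
		Name: "ballot-station",
		Code: []byte("voting app 4.6 + vote shifting"),
		Sig:  good[2].Sig,
	}

	for _, img := range [][]Stage{good, tampered} {
		l, _ := LoadUnauthenticated(img)
		fmt.Println("unauthenticated loader accepted:", l)
		v, err := LoadVerified(pub, img)
		fmt.Println("verified loader accepted:", v, "error:", err)
	}
}
```

Two caveats a practitioner would add. First, the check is only as trustworthy as the code performing it: if the card can replace the bootloader itself, as the report describes, the verification has to be rooted in code the card cannot overwrite, which is the same reason the caveat above about a corrupt bootloader matters. Second, a valid signature proves the software came from whoever holds the vendor key, not that the software is correct; it addresses the loading-of-unauthorized-code problem, not the quality of what the vendor ships.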

Also, as some have commented in other places, this is a good time to have DESI DRE machines with a paper trail. The contents of a contemporaneous paper trail are essentially independent of the software and should be correct if voters take the trouble to check their contents.

To be sure, there are plenty of attacks that can be accomplished by exploiting this vulnerability that a paper trail would not catch. For example, here are a few attacks that are reasonably independent of a paper trail:

  • usability attacks that simply make it harder for certain groups of voters to express their preferences.
  • simple denial of service attacks (erasing the software, for example).
  • "vote-jumping" attacks where both the paper and electronic records are mis-recorded (banking on people not looking at the paper).
  • an attack that would subtly cause differences between the paper trail and the electronic records. (This also counts on voters not checking the paper, although it will show up later as an irreconcilable difference between the two records; a few jurisdictions have "paper always rules" kinds of laws for exactly that case.)

However, not having some sort of permanent, independent record of each vote greatly increases the opportunity for mischief. In that light, it is somewhat disappointing to see Georgia's response that "We are confident the robust and vigorous program of physical and operational security procedures we currently have in place in Georgia- including multiple audits and reviews to assure compliance- erects a strong barrier to prevent outsiders from accessing our voting equipment without our knowledge or without being detected." (from here). What's it going to take? A hacked election?

I've also found evidence that these vulnerabilities have been present since about 2002. Which goes to show, as Doug Jones has said, that the federal certification laboratories are incapable of or unwilling to conduct even the most basic of security assessments.

It's probably a good day to be in the tamper-evident tape or paper ballot printing business.

[1] Defense in Depth. In Security Recommendation Guides. National Security Agency, 2003.

UPDATE [2006-05-12T12:29:06]: Bev pointed out that it would be very difficult to ensure that a corrupt bootloader would, in fact, replace itself with a new bootloader when asked.

Contact / Help. (cc) 2021 by Joseph Hall. blog software / hosting.