Vulnerable Machines

elections, certification/testing, hacks, news, problems, family, usability

So, while waiting on pins and needles to hear from the Black Box Voting crew about their report concerning serious vulnerabilities in DESI DREs, I'll note another Diebold machine acting strangely.

Michelle and I were getting cash at our local ATM out of a Diebold-branded ATM. Michelle noticed that the "Get Cash" button on the screen was greyed out; the machine was out of cash. She hit the "Return Card" button and out of the ATM popped her driver's license.

I said to myself, "What the hell?"

It turns out Michelle had inserted her CA driver's license by mistake, entered her PIN as prompted and seen the greyed out cash button on the next screen, the main menu. I tried to get cash out of the machine with my card afterwards and the machine was truly out of cash. I wonder what would have happened if the machine did have cash in it? Hopefully nothing too interesting.

Recovery 2.0

blogging, open source, berkeley, friends, policy, iSchool

Callie Jones and Sarai Mitnick (iSchool students) have had their final paper from our open source class published in this month's issue of First Monday ("Open source disaster recovery: case studies of networked collaboration").

It's a great piece that examines the collaborative response by volunteers to the problems of missing people during the Hurricane Katrina and Asian Tsunami disasters. One neat highlight: Ping is called "the Godfater of the PeopleFinder Interchange Format (PFIF)".

New Pam papers

copyright, berkeley, friends, research, policy, legal, iSchool

Pam, has just posted three new papers (via the "Pamela Samuelson: Papers" feed):

music, hacks

The crypto rap from MC Plus+ is rad.

(via mroth in person and then Schneier via RSS).

Serious Security Flaw in DESI's DREs

elections, reform, problems, policy

Update [2006-05-10T16:23:59]: I wrote this without knowing certain things that I know now. This whole situation seems to be being handled very responsibly and carefully considering the possible impact of the details. For more, see Ian Hoffman's story: "Voting glitch said to be 'dangerous'".


This is the text of a note I just sent to the Election-Law listserv in response to a post by Candice Hoke (Director, Center for Election Integrity):

There is yet a further troubling wrinkle [outside of reported problems with DESI's optical scan equipment failing to read tens of thousands of absentee ballots in Cuyahoga Co., OH] that I believe you will start to see. A very serious security vulnerability has recently been partially disclosed that affects all of Diebold's DRE technology ("Voting machine warning issued: Schuylkill, Carbon bolster security efforts after glitch found."). This design flaw (note: not a bug, but a flaw in purposeful design) would allow arbitrary code to be run on a machine with moments access to the machine before the polls were opened.

Unfortunately, the vulnerability has been known since at least 18 Mar 2006, and yet primary elections were conducted on vulnerable equipment (as in OH) where it appears that the proper defensive mechanisms were not put in place to protect against this vulnerability. It's now not clear if this is because warnings related to the vulnerability were never communicated to entities such as the OH SoS or if the warnings fell on deaf ears due to the provenance of the information (from Black Box Voting (BBV) who are far from being or being seen as neutral in this area).

I think this is symptomatic of a need for central, responsible and neutral disclosure of election technology vulnerability information from an entity such as CMU's CERT Coordination Center. CERT/CC publishes vulnerability alerts about other software products that include a vague description of the issue and steps that defenders can take to ensure they are protected against those who would exploit the vulnerability. If this information had been communicated to jurisdictions, such as those in OH, running primary elections on DESI DRE equipment in a timely manner, we'd at least be more confident that the myriad of problems we've seen this week were not a consequence of this vulnerability.

In short, I think it's time for the EAC to start talking to entities like CERT/CC to see if this kind of role could be filled. BBV will release a redacted version of their full report on 10 May (unredacted reports will be sent to election officials)... However, there is quite a bit happening in the time between now and then on this equipment and it takes a nontrivial amount of time to secure systems against this particular vulnerability.

best, Joe

Contact / Help. (cc) 2021 by Joseph Hall. blog software / hosting.
Design & icons by N.Design Studio. Skin by Tender Feelings / Evo Factory.
And a few words about the structure of the eye . Everyone " retina ". Especially often we hear it buy clomid online in the phrase " retinal detachment ." So what is the retina ? This - the front edge of the brain, the most distant from the brain part of the visual analyzer. The retina receives light first , processes and transforms light energy into irritation - a signal that encodes all the information about what the eye sees . The retina is very complex and in their structure and function . Its structure resembles the structure of the cerebral cortex. The shell of the retina is very thin - about 0.14 mm.