Another Major Report Challenges Security Of Electronic Voting!
http://avi-rubin.blogspot.com/2006/10/uconn-voter-center-report-diebold-av-os.html
2006 MID-TERM ELECTION FRAUD FLASH ALERT!
YET ANOTHER MAJOR REPORT CHALLENGES SECURITY OF ELECTRONIC VOTING / UCONN VOTER CENTER REPORT: DIEBOLD AV-OS IS VULNERABLE TO SERIOUS HACKER ATTACKS! / WILL BUSH's NEOCONS STEAL THEIR 3rd ELECTION AND GET AWAY WITH IT?!
By Avi Rubin, Avi Rubin's Blog
Friday, November 3, 2006
A powerful new report (http://voter.engr.uconn.edu/voter/Reports.html)
was released yesterday about the Diebold AccuVote Optical Scan voting terminal
(AV-OS). This is a thorough and independent security analysis of the machines
that will be used in Connecticut to count votes on November 7. It is based on
hands-on experimentation with the system, and is thus more like the Princeton
study of the AccuVote TS than my team's earlier source code analysis.
Like the Princeton team, the UConn researchers had no access to any internal
documentation from the vendor, no source code, or any other information that
would have given them an advantage over a random attacker who happened to get
access to the machine. Everything they needed to know to perform the attacks was
learned by reverse engineering the system and observing its behavior.
The evaluation was done on behalf of the state of
Connecticut. They should be commended for not only allowing but also requesting
this study. The report published on their web site explains the attacks in
enough detail to be convincing, but some low level details are reserved for
another copy of the paper that is only available from the authors by request.
The authors show that "even if the memory card is sealed and pre-election
testing is performed, one can carry out a devastating array of attacks against
an election using only off-the-shelf equipment and without having ever to access
the card physically or opening the AV-OS system box."
The attacks presented in the paper include manipulating the count so that no
votes for a particular candidate are counted, swapping votes for two candidates,
and reporting the results incorrectly based on biases that are triggered under
certain conditions. The attacks in this paper are cleverly designed to make a
compromised machine appear to work correctly when the system's audit reports are
evaluated or when the machine is subjected to pre-election testing.
Besides manipulation of the voting machine totals and reports, the authors
explain how any voter can vote an arbitrary number of times using (get this)
Post-it notes, if the voter is left unattended.
The attacks are possible because of serious security vulnerabilities that could
have been prevented with proper security design.
For example, if a serial cable is connected to the AV-OS, an attacker with a
laptop can easily obtain a dump of the memory card contents. The dump is
obtained in cleartext because the system performs no authentication of any
computer that is connected on that port. The dump can be very useful for an
attacker, for example, to reconstruct the password and audit records associated
with the memory card.
The communication between the voting machine and the GEMS tabulation system is
unencrypted and unauthenticated. Instead, they use a CRC as a checksum. In our
2003 report, we identified this as a weakness in the Diebold AccuVote TS because
CRCs are easily broken. The authors of the new report show how to spoof the GEMS
server to the AV-OS, which forms the basis of many of their attacks.
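Why a CRC is only a checksum and not authentication, shown as an added example that is not part of the original post or the UConn report: a receiver that checks a CRC accepts any record whose checksum was recomputed, while a keyed MAC rejects it. CRC-32 from zlib, HMAC-SHA256, the record layout and the key are all assumptions made for illustration; the page does not give the AV-OS/GEMS wire format.

```python
import hashlib
import hmac
import zlib

# Constructed sample record; not the AV-OS/GEMS wire format, which the page does not give.
ORIGINAL = b"unit=07;counter=0120"
ALTERED = b"unit=07;counter=0999"
KEY = b"constructed-demo-key-not-for-use"  # hypothetical shared secret

def crc_frame(payload: bytes) -> bytes:
    """Payload followed by its CRC-32. Anyone can compute this; no secret is involved."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_accepts(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]).to_bytes(4, "big") == frame[-4:]

def mac_frame(key: bytes, payload: bytes) -> bytes:
    """Payload followed by HMAC-SHA256 under a key only the two endpoints hold."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def mac_accepts(key: bytes, frame: bytes) -> bool:
    expected = hmac.new(key, frame[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame[-32:])

def crc_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, crc(a^b^c) == crc(a)^crc(b)^crc(c): pure public arithmetic."""
    mixed = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)

def receiver_verdicts() -> dict:
    """What a receiver decides about an altered record sent by a party without KEY."""
    genuine_tag = mac_frame(KEY, ORIGINAL)[-32:]
    return {
        "crc_genuine": crc_accepts(crc_frame(ORIGINAL)),
        "crc_altered": crc_accepts(crc_frame(ALTERED)),  # checksum simply recomputed
        "mac_genuine": mac_accepts(KEY, mac_frame(KEY, ORIGINAL)),
        "mac_altered_old_tag": mac_accepts(KEY, ALTERED + genuine_tag),
        "mac_altered_wrong_key": mac_accepts(KEY, mac_frame(b"guess", ALTERED)),
    }

if __name__ == "__main__":
    for name, accepted in receiver_verdicts().items():
        print(f"{name:22} accepted={accepted}")
    print("crc affine:", crc_is_affine(ORIGINAL, ALTERED, b"unit=09;counter=0001"))
```

A MAC addresses only the missing authentication; the lack of encryption the post also mentions is a separate property, and a MAC does not hide the contents.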
The authors also validate some of the attacks presented earlier by Harri Hursti.
They report that the executable code on the memory cards (!!) can be changed so
that the counter values change. Reading this report was a hair-raising
experience for me. Diebold has clearly not learned any of the lessons from our
2003 report, and it is startling to see that their optical scan ballot counter
is as vulnerable to tampering, vote rigging, and incorrect tabulation as the DRE.
The big difference, of course, is that optical scanners can be audited. Ballots
counted by hand can be compared to the totals of the AV-OS, and machines
tabulating incorrectly can be identified. This report highlights the dangers of
trusting any component of a voting system that is software based, and the
importance of widespread random audits.
With optical scan technologies, we can have a secure election even if the
systems cheat, due to the opportunity to audit and perform recounts. With DREs,
we are left with whatever results the machines compute. I strongly urge everyone
to read this new report out of UConn:
http://voter.engr.uconn.edu/voter/Reports.html