another example of irresponsible people

I read about another one this weekend.

Some guys at a so-called university, one is named Rubin and also some Chinese guy, are attacking the DIEBOLD company and have publicized how to violate the security of VOTING MACHINES!

Diebold makes high security safes and I doubt the method they claim works (naturally they didn't bother to test it in the REAL WORLD). Isn't this typical. There is no need to print this stuff in a newspaper. If it works which I seriously DOUBT they will be doing a lot of serious damage. They should just have told the company the concerns and only publicized it if they didn't listen. DIEBOLD makes a good product.

This is the typical mentality of these jackasses. No matter what the harm. No ethics at all.

Ed "Lockie" NYC Locksmith, Retired.

Reply to
lockie

that's a 'nothing story'

the one I heard is the elections in Florida? the voting machines? supposedly provided by the brother in law of gov Jeb.

--Shiva-- nuk pu nuk

Reply to
--Shiva--

You know you contribute a lot of useful info to this NG, but you also post a number of things that are highly questionable as far as validity w/o any source for the information whatsoever.

Reply to
Putyourspamhere

Actually in the case of voting machines I would lean more toward releasing the information. If they are flawed to the degree that they can be easily compromised or that the allegation can be made that they were compromised then the problem should be eliminated. Also and perhaps more importantly the opportunity to use or I should say misuse the information is limited to the next election where said machines are used.

Reply to
Putyourspamhere

I SAID, since you cannot comprehend ENGLISH....I HEARD...see above^^^^^^^

''''''supposedly''''''''

did I VERIFY? no, I didn't hop in my plane and fly down there and LOOK... It was sent to me through a large email list that is keeping up on POLITICAL crap... THERE on that list it was not disputed...and a lot of those folks DO live in Florida...

--Shiva-- nuk pu nuk

Reply to
--Shiva--

PS.

Shiva I'm really not trying to flame you. I'm just saying that there is already a ton of unsubstantiated stuff all over the web. Is it really so hard to just say where the information came from to avoid adding to it?

Reply to
Putyourspamhere

Do a google on "voting machine security". There is more here than one newspaper article. This is really an IT security issue. I know Diebold has been around for a 100 years but competence in building safes doesn't necessarily translate to competence in other areas. Some aspects of Diebold's response to the Johns Hopkins researchers are a little fishy as well. Namely Diebold has stated that part of the specified problem is not really a problem since the machines are not connected to the net. However from what I read they do appear to have a dialup connection. So without appropriate controls there may in fact be a way to access a machine remotely.

Reply to
Jim Gaynor

Do you have *any* evidence for this whatsoever?

^^^^^^^^^^^^ What kind of people do you think they are?

If it is made up - then why do you care if it is publicized? Your concern on this point shows that you are convinced (or afraid) that they have found real holes in the software.

As far as testing in the "REAL WORLD" goes - isn't running it on a *REAL* computer such a test?

Evidence?

Diebold seems to be denying that anything is wrong that needs fixing.

What is the ethical problem? (Note that in this case we are discussing software, not locking hardware.)

Do you have any information whatsoever about the quality of Diebold's *SOFTWARE* products?
Reply to
Henry E Schaffer

Understandable since testing what you are talking about in the "real world" would likely result in felony charges.

If that's the case then why are you so worried? Publicizing "fake" security flaws/exploits isn't a threat to anyone's security.

Then Diebold can sue in court.

Well in this particular case what we have is a supposed security flaw which cannot be exploited by anyone in the real world until there is an election using the affected machines. Consequently what is the real and immediate harm? On the other hand if the machines were not fixed by election time and even the allegation was made that this flaw was exploited by someone there would be a serious mess.

Reply to
Putyourspamhere

Here is one article on this that quotes Diebold as saying:

"the software code they evaluated, while sharing similarities to the current code, is outdated and was never used in an actual election. In addition, similar to any of our software products, Diebold Election Systems constantly updates its software to meet certification requirements."

formatting link
If true this would appear to make the whole thing a non-issue, past, present, or future.

Reply to
Putyourspamhere

The article I just l "For one thing, the electronic voting system could be easily exploited by an individual or group intent on tampering with election results. The researchers pointed to the smart card necessary to use the machine to cast a single ballot. The researchers said it would be easy to program a counterfeit card, hide it in a pocket and then use it inside the booth to cast multiple votes."

So it appears that remote access is not required. However the same article also quoted Diebold as saying:

"the software code they evaluated, while sharing similarities to the current code, is outdated and was never used in an actual election. In addition, similar to any of our software products, Diebold Election Systems constantly updates its software to meet certification requirements."

So maybe it is not truly an issue either way.

Reply to
Putyourspamhere

I'm more cynical about corporate CYA statements. They admit "sharing similarities" - that certainly is less than a statement that the security holes don't appear in their production code!

What exactly are the "certification requirements" that DES meets? I don't know, and the article doesn't say.

Reply to
Henry E Schaffer

re: trust in Diebold's election software:

If you are interested in such software, you may enjoy reading:

formatting link
A U.S. Election Vote Counting Program By Bev Harris

Introduction

According to election industry officials, electronic voting systems are absolutely secure, because they are protected by passwords and tamperproof audit logs. But the passwords can easily be bypassed, and in fact the audit logs can be altered. Worse, the votes can be changed without anyone knowing, even the County Election Supervisor who runs the election system. ...

Reply to
Henry E Schaffer

Please also note that the computerized voting systems in Florida and New Jersey (among others) were sold to the state with a contract that explicitly prohibited auditing or testing the units by anyone other than the seller. This prohibition included the states that bought the units. This is scary enough, but they also prohibited the state from examining the software running on the systems.

The seller certified that the voting systems were secure and accurate.

Imagine a company selling locks that was able to impose fines upon anyone examining or disassembling the locks. Imagine not being allowed to look at the door to see if it had been jimmied?

So maybe (in this case) the disclosure is a proper thing to do.

Daniel

Reply to
dbs

Well the truth is out now. "Professor" Rubin worked for Diebold's competition. He had to "resign" from the company and will probably be getting fired from his school over this.

Look at

formatting link
and also
formatting link
Ed "Lockie" NYC Locksmith, Retired

PS Also this reminds me exactly of the Matt Blaze idiot. Shoot from the hip without revealing financials or knowing what you're talking about. Who was paying Blaze to disrupt the lock industry I wonder?

Reply to
lockie

that's nice and all....

except Rubin is far from the only person in computer security to comment on the sad state of electronic voting security.

Bruce Scheiner is another guy who hates it- he's written a cogent introduction for the non-Infosec guy in _Beyond Fear_.

Bruce runs his own Net security monitoring firm, he doesn't make shit from voting machines.

I don't think you can find very many people who work with computer security and stuff like voting who actually WANT voting to become electronic.

and your argument also doesn't take away from the fact that Diebold has shitty ass security.

they can't even secure their f****ng intranet, and they are supposed to be securing voting machines?

formatting link
guess what, they are even getting dissed in cryptographic circles because the MORONS took a f****ng random number generator out of a textbook on cryptography that specifically warns you it is an example and should NOT be used in real cryptography!!!!

oh, just found another wonderful little gem-

formatting link
the DIPSHITS at Diebold use voting machines with INCREDIBLY INSECURE wireless cards attached!

this means I can sit outside a polling place with a laptop and appropriate radio card and SCREW WITH THE VOTING MACHINES!!!!

Diebold is putting the Infosec equivalent of a cheap Pakistani lock on a rotten wood door that needs a Medeco or other high-sec lock with reinforced everything instead.

I can name you one prominent guy who works with computer security and voting who thinks that voting should be electronic- and EVEN HE says that going to commercial manufacturers for voting machines is a terrible idea!

in conclusion, I leave you with this website-

formatting link
if you read this and still think electronic vote fraud is "just a scam by a computer security guy", you should set down your toolkit and quit security.

it also points out how Diebold has massive conflicts of interest... like the fact the CEO of Diebold is a major Republican fundraiser who promised in a letter to fundraisers to "deliver the election for George W. Bush"...

or how a review panel in Maryland auditing the security of voting machines has people linked to Diebold on the independent audit committee!!!

Reply to
RobRPM2222

please watch your language. there are women that frequent this group.

thanks for your consideration

Reply to
"Key

Citation?

Right. A search for the *extensive* work of Rebecca Mercuri of Bryn Mawr College might be interesting.

He's a very respected computer scientist and cryptographer - assuming you mean Bruce Schneier.

Reply to
Henry E Schaffer

sorry dude.

posted when I was tired and I assumed this was pretty much an all-male group. Most of the mech. trades I've been familiar with, that has been the case.

Information security/computer science isn't totally male either, but the women are few and far between, and generally don't care about the cussin'.

probably could have taken out the repeated cursing whether this was an all-male group or not.

Reply to
RobRPM2222

Thanks for your consideration Rob

g'day

Reply to
"Key

PolyTech Forum website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.