Diebold Hursti hack (and PC R us)

In today's IT Blogwatch, we look at the disastrous dumping of dastardly Diebold voting machines by a Florida county. Not to mention the British blogger who tries desperately not to use the C-word, after recently moving to the US ...

Diebold out of Leon County, Fla., as reported by Marc L. Songini: "The commission vote was 7-0 ... The primary reason Sancho cited for ditching the Diebold machines is the need to comply with the federal Help America Vote Act (HAVA) and Florida state elections laws without having to install touch-screen equipment ... Leon County this week also sponsored two hacking events of the Diebold AccuVote optical scan systems, demonstrating vulnerabilities in the memory card ... A Diebold spokesman dismissed those concerns, saying the company hasn't been able to participate directly in the hacking attempts, which invalidates them." [And is presumably taking his ball home, because people won't play by his rules?]

» Jim March, the self-styled "Citizen Watchdog," tells us, "On Tuesday, the most serious 'hack' demonstration to date took place ... Finnish security expert Harri Hursti, together with Black Box Voting, demonstrated that Diebold made misrepresentations to Secretaries of State across the nation when Diebold claimed votes could not be changed on the 'memory card' (the credit-card-sized ballot box used by computerized voting machines) ... It is a particularly dangerous exploit, because it changes votes in a one-step process that will not be detected in any normal canvassing procedure ... it requires only a small piece of equipment which can be purchased off the Internet for a few hundred dollars."

» Mike, Techdirt: "We avoided posting yesterday's news that Diebold's CEO had stepped down, as there wasn't a clear connection to the technology questions ... BlackBoxVoting is claiming the latest series of hack tests in Florida have convinced some election officials there to 'never again use Diebold in an election.' The hack test is simply an update on an earlier hack test that was done last summer, showing problems with Diebold's equipment. Of course, we haven't seen any other reports confirming this ... It would be nice to get some independent confirmation on this story ... At the very least, all of these questions should, once again, make election officials demand more openness from the company."

[But according to the next post, it's a little more than just an 'update'...]

» BBV Admin: "Whereas the tests on May 26 proved that it is possible to manipulate voting machine results reports and proved that you can pre-stuff the ballot box, we still had not achieved proof of concept for the theory that you can falsify a zero report at the same time as pre-stuffing the ballot box, nor had we yet proved that the pre-stuffed ballot box will work properly after running ballots through the machine, nor had we yet proved that such altered data could be uploaded into GEMS without triggering error messages. On Dec. 13, Hursti proved that the entire system can be compromised without producing error messages and without leaving a trace, using nothing but a memory card."

» Bruce Schneier: "This is my 2004 essay on the problems with electronic voting machines. The solution is straightforward: machines need voter-verifiable paper audit trails, and all software must be open to public scrutiny. This is not a partisan issue: election irregularities have affected people in both parties."

» Kvatch: "In California we're still waiting on such a test, and it's high time Secretary of State McPherson pulled his head out of his ass and got on with it."

Buffer overflow:

And finally... Scalix blogger "ravelox" tries desperately not to use the C-word

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk. Also contributing to today's post: Judi Dey, our very own Antipodean.

Copyright © 2005 IDG Communications, Inc.
