Re: Diebold firmware 1.94W v 1.96

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Thu Aug 16 2007 - 13:49:48 CDT

Nancy,
It's time to stop defending against Diebold and go on the offensive. That is, make Diebold prove its claim.

Fortunately the CA reports did exactly this: Here's an excerpt from Ed Felten's blog that gives you the ammo you need:

"Some of these are problems that the vendors claimed to have fixed years ago. For example, Diebold claimed (p. 11) in 2003 that its use of hard-coded passwords was “resolved in subsequent versions of the software”. Yet the current version still uses at least two hard-coded passwords — one is “diebold” (report, p. 46) and another is the eight-byte sequence 1,2,3,4,5,6,7,8 (report, p. 45).

Similarly, Diebold in 2003 ridiculed (p. 6) the idea that their software could suffer from buffer overflows: “Unlike a Web server or other Internet enabled applications, the code is not vulnerable to most ‘buffer overflow attacks’ to which the authors [Kohno et al.] refer. This form of attack is almost entirely inapplicable to our application. In the limited number of cases in which it would apply, we have taken the steps necessary to ensure correctness.” Yet the California source code study found several buffer overflow vulnerabilities in Diebold’s systems (e.g., issues 5.1.6, 5.2.3 (“multiple buffer overflows”), and 5.2.18 in the report)."

http://www.freedom-to-tinker.com/?p=1184

Basically we've heard this same song too many times now. "Well those bugs were fixed in the latest release." I even had one person who was working for the SOS tell me that, even though the bug found in an older version was discovered after the latest release, they might have fixed it in the latest release by accident despite not knowing it was present, so he had no reason to believe the bug in the old release was still present. Argg!

And we have all sorts of lies documented: Diebold and ES&S have both falsely represented code as certified when it was not, and ES&S, according to Rather, even represented hardware as passing a humidity test that it did not pass.

The Companies have earned a Guilty until proven innocent rep. They need to open the source and prove any claim they make is true.

-----Original Message-----
>From: Nancy Tobi <nancy.tobi@gmail.com>
>Sent: Aug 16, 2007 9:09 AM
>To: Open Voting Consortium discussion list <ovc-discuss@listman.sonic.net>
>Subject: [OVC-discuss] Diebold firmware 1.94W v 1.96
>
>Does anyone know if there are tests and reports on the Diebold AccuVote
>optical scanner firmware version 1.94w?
>
>Diebold is making claims that the 1.96 tests conducted in California don't
>apply because "it is completely different". But both use the same
>architecture: memory cards, etc. So I would expect the same vulnerabilities,
>such as viral hacking via the memory cards, would be applicable.
>
>Anybody have any technical information or otherwise to help me refute the NH
>Diebold vendor claims?
>
>Thanks.
>
>Nancy
>
>--
>Nancy Tobi
>Chair, Fair Elections Committee
>Legislative Coordinator, Election Defense Alliance
>nancy.tobi@gmail.com
>www.DemocracyForNewHampshire.com
>www.electiondefensealliance.org
>603.315.4500

Received on Fri Aug 31 23:17:05 2007