Why procedural guards matter more than technical ones

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Mon Jun 14 2004 - 11:20:18 CDT

"Douglas W. Jones" <jones@cs.uiowa.edu> wrote:
|It's very different to inspect it to assure yourself that the BIOS is
|the right one. Sadly, a modern PC BIOS is big enough to do harm.
|This is getting harder. Flash memory is becoming more and more
|common, and it's very hard to recognize.

I know my sketch didn't go through everything conceivable. It was
merely to point readers in the right direction. But everything
else--mainly more details about chain-of-custody--amounts to more
PROCEDURAL safeguards, none of them particularly TECHNICAL.

I probably should have thrown in a step in there where poll workers turn
on a voting station with no CD inserted, and see that it really does
fail to boot (with a message along the lines of "No HDD detected").
Then when they boot from CD, they're pretty (darn) confident that the
software running is the stuff on the MD5-verified CD.

I know, I know... THEORETICALLY you can imagine a sufficiently
malicious BIOS that bothers to look for a CD boot media with voting
stuff on it, and *only* then substitutes a malicious boot sequence that
is actually performed from flash memory, and runs Scam-A-Vote instead of
EVMix (but presents forged welcome screens, etc).

It's all perfectly fun to imagine this sort of theoretical attack,
carried out by vast conspiracies of extremely skilled hackers. And how
to defend against these with dedicated memory dump ports, spectral
analysis of machine emissions, and other cool spy gadgets.

But the question that actually came up in Miami-Dade (or in Orange
County, or lots of other places) is much more banal. You observed very
correctly that it is "hard to determine what software is running" on
those machines. This is absolutely true in the plain old procedural
sense that ESS/Diebold technicians were given all the access they wanted
to install uncertified patches to the system. And given the proprietary
software (and the fact it ran on arcane Windows, from a HDD), there was
no way to check any of it other than the self-test messages the software
displayed.

All a hacker--or even just a sloppy programmer--needed to do to push an
undetectable change was not change the displayed self-test message....
heck, I've released versions of Gnosis Utilities where I forgot to
update the version string. No intention of foul play was involved, nor
was any of the source code in any way hidden even... I just got lazy.
And once I noticed it, I slipstreamed the correction into the FTP site
under the identical name as the other archive. Both steps are things we
DO NOT want voting software to do, of course, as innocuous as they
actually were for a general purpose library.

Real world concerns are, and should be, for the procedural problems
remedied by more careful source control and release signatures. And
handling of physical components. Complexly altered BIOSs covertly
installed onto thousands of warehoused (or multi-use) PCs is *WAY* down
my list of concerns. It borders on sophism.

Yours, David...
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Jun 30 23:17:15 2004

This archive was generated by hypermail 2.1.8 : Wed Jun 30 2004 - 23:17:30 CDT