Department of justice news and Diebold hacked!

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Wed Nov 26 2003 - 10:12:09 CST

Two interesting bits of news I came across

1) the US Department of Justice has issued a lengthy opinion that if
voter verifiable hardcopies are not handicapped accessible that this is
okay. That is, it violates neither the law nor spirit of the HAV act or
the Americans with Disabilities act. The gist of the argument is that
there is always going to be some inequity and that what we need to
provide is equal access but not a perfectly identical process. At one
point they offer a strawman argument. If you proposed using an audible
verification system for poorly sighted voters then they have a de-facto
different voting experience. If you wanted to get absurd and make all
voters have the identical experience you would have to make sighted
voters use this audio verification system. But then what about deaf
voters? Anyhow, that's only part of their analysis to reach that
conclusion. This does not make it law but it clears out a lot of
possible legal challenges.

2) Diebold's most advanced ATMs have been root-level infected with a
Windows worm derived from the BLASTER worm.

There are six remarkable features in this incident:

1) this same security hole was also in all of Diebold's voting machines
since they run the same OS.

2) The ATMs supposedly are on PRIVATE networks. Many voting machine
manufacturers claim that they are invulnerable to network attacks since
they use private networks isolated from the general internet.

3) This was not a hypothetical security hole, worm attacks were
successful in taking over the machines at two institutions.

4) Despite all the banking security and 30 years of development
expertise and basically unlimited testing, they had an unpatched
security hole they did not know about.

5) Even when they did know about it they were slack in getting the
patches applied and got attacked.

6) It's not the first time.

They claim nothing bad happened other than loss of services. But this
is mainly because the worm was just a fortuitous infection and not
specifically designed to attack cash machines. That is, it didn't know
what to do to exploit the system (e.g. spit out $20 bills) since it
didn't know it was residing in a cash machine. But if it had known it
would be a different story, the RPC security hole this exploits allows
the worm to implant ANY other viral code and do ANYTHING (i.e.
admin-level) that the system is capable of doing.

This information was culled from the Information Technology news
magazine, The Register, and was written by the reputable SecurityFocus.
http://www.theregister.co.uk/content/55/34175.html

I guess I should add in fairness to Diebold, that the same security
hole was in the Sequoia WinEDS vote collection systems. (WinEDS is the
system Sequoia sells to collect and manage the votes from the AVC Edge
polling station kiosks. Sequoia will only say their AVC Edge systems
are based on a proprietary OS, not on Windows. This of course does not
mean they don't use code modules derived or shared by Windows and it
doesn't mean they do. It just means no one besides Sequoia knows.
And of course Microsoft Windows is not the only software that has had
bugs.)
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sun Nov 30 23:17:09 2003
