http://www.miami.com/mld/miamiherald/14803773.htm
By FRED GRIMM
fgrimm at MiamiHerald.com
Jun. 13, 2006

For a county supervisor of elections needing someone to test the vulnerabilities of his voting system, Dan Wallach's the man. Wallach, who runs the computer security lab at Rice University, is a nationally regarded expert on computer network security and voting system vulnerabilities. He's associate director of ACCURATE (A Center for Correct, Usable, Reliable, Auditable and Transparent Elections). Besides, his parents live in Lauderdale-by-the-Sea.

He is a perfect choice. But not in Florida.

Wallach and his associates at ACCURATE may represent academia's leading experts on voting system security, but under the new rules promulgated by the Florida Secretary of State, they don't qualify. Any security test, the secretary of state's office insists, must be performed by someone certified by the American Software Testing Qualifications Board, the American Society for Quality or the EC (E-Commerce) Council.

Not only is Wallach not certified by the three organizations, "I've never heard of them," he says.

TRAINING COURSE

Actually, the first two organizations are concerned with the overall quality of manufactured software, not security. The EC Council website offers a five-day training course in something called "ethical hacking." Five days of training, under the new rules, would trump the most sophisticated résumés in computer science.

Computer science professor David Dill, of Stanford University, who served on California's Ad Hoc Task Force on Touch Screen Voting, and whose degree (not the five-day kind) comes from MIT, added his apprehensions to the comments on the proposed rules that the Florida Secretary of State's office collected Monday. He said they "would exclude the most competent evaluators, such as those who have found most of the reported security holes in existing voting systems.
"I have checked with several computer security experts, who not only do not have these qualifications, but, like me, have never heard of them. A little research on the Web reveals these certifications to be of dubious relevance to voting system evaluation," Dill wrote.

Other rules would require that the voting-machine vendors and the secretary's office get advance notice of any security test. And a supervisor of elections contemplating a security test must first take special pains to protect the machine manufacturer's secret operating code.

CERTIFIED HACKERS

Wallach and Dill seemed puzzled. Wallach noted that a voting machine ought to be secure no matter who tries to hack the system. The notion that a would-be hacker must first be properly certified and possess special qualifications (like a five-day online course), and that the vendors need advance notice, becomes utterly irrelevant in cyberspace.

"If someone is malicious and his goal is to throw the election, they're not going to ask permission," Wallach said.

Of course, the new rules aren't really about protecting the integrity of elections. Only one Florida supervisor of elections, Leon County's Ion Sancho, allowed outside experts to test his voting system security. And when Sancho's hackers discovered last year that they could alter the outcome of an election and wipe out all trace of the tampering, it was a huge embarrassment to the Secretary of State's office.

Instead of trying to fix the flaws, state officials and Diebold, a maker of voting machines, went after Sancho, disparaging his findings and suggesting that he ought to be tossed from office. Then California, not Florida, directed a panel of computer science experts to look into the Leon County findings. The panel found the same flaws and more. Florida election bureaucrats were humiliated.

"The new rules are designed to make sure that they're never embarrassed again," Sancho said Monday.

Florida's first priority is to protect the vendors.
We'll let California worry about the damn voters.
This archive was generated by hypermail 2.1.3 : Wed Jun 14 2006 - 01:12:35 PDT